GHSL-2021-1022

martinRenou · SylvainCorlay · commit 37b152c0ad04 · 2022-08-09T14:31:09.000+02:00
diff --git a/nbconvert/exporters/tests/files/notebook_inject.ipynb b/nbconvert/exporters/tests/files/notebook_inject.ipynb
@@ -60,6 +60,48 @@
       }
     ],
     "source": [""]
+   },
+   {
+    "cell_type": "code",
+    "execution_count": null,
+    "id": "b72e63fa",
+    "metadata": {},
+    "outputs": [
+      {
+        "output_type": "execute_result",
+        "data": {
+          "image/png": [""]
+        },
+        "execution_count": null,
+        "metadata": {
+          "filenames": {
+              "image/png": "\"><script>alert('png filenames')</script>"
+          }
+        }
+      }
+    ],
+    "source": [""]
+   },
+   {
+    "cell_type": "code",
+    "execution_count": null,
+    "id": "b72e63f3",
+    "metadata": {},
+    "outputs": [
+      {
+        "output_type": "execute_result",
+        "data": {
+          "image/jpeg": [""]
+        },
+        "execution_count": null,
+        "metadata": {
+          "filenames": {
+              "image/jpeg": "\"><script>alert('jpg filenames')</script>"
+          }
+        }
+      }
+    ],
+    "source": [""]
    }
  ],
  "metadata": {
diff --git a/nbconvert/exporters/tests/test_html.py b/nbconvert/exporters/tests/test_html.py
@@ -155,3 +155,7 @@ def test_javascript_injection(self):
             # Check injection in svg output
             assert "<script>alert('image/svg+xml output')</script>" not in output
             assert "<script>alert('svg_filename')</script>" not in output
+
+            # Check injection in image filenames
+            assert "<script>alert('png filenames')</script>" not in output
+            assert "<script>alert('jpg filenames')</script>" not in output
diff --git a/share/jupyter/nbconvert/templates/classic/base.html.j2 b/share/jupyter/nbconvert/templates/classic/base.html.j2
@@ -156,7 +156,7 @@ unknown type  {{ cell.type }}
 {% block data_png scoped %}
 <div class="output_png output_subarea {{ extra_class }}">
 {%- if 'image/png' in output.metadata.get('filenames', {}) %}
-<img src="{{ output.metadata.filenames['image/png'] | posix_path }}"
+<img src="{{ output.metadata.filenames['image/png'] | posix_path | escape_html }}"
 {%- else %}
 <img src="data:image/png;base64,{{ output.data['image/png'] }}"
 {%- endif %}
@@ -182,7 +182,7 @@ alt="{{ alttext }}"
 {% block data_jpg scoped %}
 <div class="output_jpeg output_subarea {{ extra_class }}">
 {%- if 'image/jpeg' in output.metadata.get('filenames', {}) %}
-<img src="{{ output.metadata.filenames['image/jpeg'] | posix_path }}"
+<img src="{{ output.metadata.filenames['image/jpeg'] | posix_path | escape_html }}"
 {%- else %}
 <img src="data:image/jpeg;base64,{{ output.data['image/jpeg'] }}"
 {%- endif %}
diff --git a/share/jupyter/nbconvert/templates/lab/base.html.j2 b/share/jupyter/nbconvert/templates/lab/base.html.j2
@@ -174,7 +174,7 @@ unknown type  {{ cell.type }}
 {% block data_png scoped %}
 <div class="jp-RenderedImage jp-OutputArea-output {{ extra_class }}">
 {%- if 'image/png' in output.metadata.get('filenames', {}) %}
-<img src="{{ output.metadata.filenames['image/png'] | posix_path }}"
+<img src="{{ output.metadata.filenames['image/png'] | posix_path | escape_html }}"
 {%- else %}
 <img src="data:image/png;base64,{{ output.data['image/png'] }}"
 {%- endif %}
@@ -204,7 +204,7 @@ jp-needs-dark-background
 {% block data_jpg scoped %}
 <div class="jp-RenderedImage jp-OutputArea-output {{ extra_class }}">
 {%- if 'image/jpeg' in output.metadata.get('filenames', {}) %}
-<img src="{{ output.metadata.filenames['image/jpeg'] | posix_path }}"
+<img src="{{ output.metadata.filenames['image/jpeg'] | posix_path | escape_html }}"
 {%- else %}
 <img src="data:image/jpeg;base64,{{ output.data['image/jpeg'] }}"
 {%- endif %}
